Privacy Policy
As of: May 2026
1 Controller
The controller within the meaning of the General Data Protection Regulation ("GDPR") is:
Constantin Hirt
Gasborn 23
52062 Aachen, Germany
Email: support@tusentakk.app
2 Scope
This Privacy Policy applies to the mobile application "Tusen Takk" (iOS, and potentially Android) and the website tusentakk.app.
3 What data we process
3.1 Account and profile data
During registration and use, we process the following data:
- Name (display name in the app);
- Email address;
- Password as a bcrypt hash (salt rounds: 10) — the plaintext password is never stored;
- Registration timestamp;
- PayPal.Me username (if stored by the User in their profile);
- Stripe Customer ID and Stripe Connect Account ID (if created);
- Profile photo / avatar (if uploaded).
3.2 Transaction and activity data
- Sent and received Gift Tokens (gift type, amount in cents, status, timestamps);
- Occasion texts and notes optionally entered when sending;
- Selfies and captions uploaded for redemption;
- Approval/rejection decisions and timestamps;
- Chat entries (comments, reactions, photos) in the gift history;
- Points events ("Social Score"), weekly challenges, achievements, friendship connections;
- For unregistered recipients: their email address as a pending gift entry, until registration or for a maximum of 90 days.
3.3 Device and technical data
- Authentication token (JWT, validity 30 days, stored locally on the device);
- Push notification token (Expo Push Service), if the User has enabled push notifications;
- Server log data (timestamp, IP address, user agent, accessed endpoints) to ensure functionality and ward off attacks.
4 Purposes and legal bases for processing
| Purpose | Legal basis |
|---|---|
| Provision of the app, authentication and account management | Art. 6(1)(b) GDPR (performance of contract) |
| Processing of gift transactions including redemption and payout | Art. 6(1)(b) GDPR |
| Display of selfies to the Sender for approval | Art. 6(1)(b) GDPR; where applicable Art. 9(2)(a) GDPR (consent), see section 6 |
| Push notifications | Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR |
| Points, levels and leaderboard function | Art. 6(1)(b) GDPR |
| Server logs for IT security | Art. 6(1)(f) GDPR (legitimate interest) |
| Compliance with legal obligations (e.g. information and retention obligations) | Art. 6(1)(c) GDPR |
5 Recipients and processors
We share personal data with recipients only where this is necessary for the provision of the service or a legal obligation exists. The following processors and independent recipients are used:
- PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg — processing of payouts via PayPal.Me. Only the PayPal.Me username and the payout amount are transmitted.
- Stripe Payments Europe, Ltd., Ireland — alternative payout via Stripe Connect.
- Expo (650 Industries, Inc.), USA — provision of the push notification service. Data transfer to the USA on the basis of EU Standard Contractual Clauses.
- Replit, Inc., USA — hosting and operation of the backend servers (Express) and the app infrastructure. Data transfer to the USA on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR (EU Standard Contractual Clauses / EU–US Data Privacy Framework).
- Apple Inc. — distribution of the app via the App Store; technical telemetry data is transmitted in accordance with Apple's guidelines.
Transfer of data to third countries outside the EU/EEA takes place only on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR.
6 Selfies and special category data
Selfies uploaded for redeeming a Gift Token typically depict persons and are protected as personal data. Where a selfie contains facial features that may in individual cases be classified as biometric data within the meaning of Art. 9 GDPR, we obtain explicit consent before the upload (checkbox with notice on the redemption screen).
Selfies are not used for automated facial recognition. They are stored exclusively for display in the respective gift history between Sender and Recipient.
The User may withdraw consent at any time with future effect by deleting an individual selfie via the app or removing their entire account.
7 Storage periods
- Account and profile data: until account deletion.
- Transaction data: until account deletion, then anonymisation; statutory retention periods remain unaffected.
- Selfies and chat content: until deleted by the User or upon account deletion, at the latest 30 days after account deletion.
- Pending gifts (email addresses of unregistered recipients): automatic deletion after 90 days without claim.
- Server logs: max. 30 days.
- Push tokens: until withdrawal of push consent or account deletion.
8 Your rights
You have the following rights at any time:
- Access to data stored about you (Art. 15 GDPR);
- Rectification of inaccurate data (Art. 16 GDPR);
- Erasure (Art. 17 GDPR);
- Restriction of processing (Art. 18 GDPR);
- Data portability (Art. 20 GDPR);
- Objection to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR);
- Withdrawal of consent with future effect (Art. 7(3) GDPR);
- Lodging a complaint with a supervisory authority (Art. 77 GDPR).
To exercise your rights, a simple message to support@tusentakk.app or use of the "Delete account" function in the app (Profile → Settings) is sufficient.
9 Security
- All data transmission is encrypted exclusively via HTTPS/TLS;
- Passwords are hashed with bcrypt and not stored in plaintext;
- Authentication via JWT tokens with limited validity;
- Database access is only possible for authorised services and persons;
- Rate limiting on sensitive endpoints (login, signup, coin send, avatar upload);
- Regular updates of components in use.
10 Automated decisions and profiling
No exclusively automated decision-making within the meaning of Art. 22 GDPR takes place. The approval of a selfie is always carried out manually by the Sender. Points are awarded according to fixed rules and do not lead to legal or comparably significant effects.
11 Changes to this Privacy Policy
We reserve the right to update this Privacy Policy when app functions change or the legal situation requires it. Material changes will be communicated via the app or by email.
12 Data protection contact
For questions about data protection or to exercise your rights, please contact us at:
Constantin Hirt — Data Protection
Gasborn 23
52062 Aachen
Email: support@tusentakk.app